Websites Fail to Protect Users. How to Take Virtual Security Into Your Own Hands?

Take Cyber Security Into Your Own Hands

You might hear cyber security experts tell you that you shouldn't visit websites or follow links or open emails you don't trust. But what do they mean by "trust" exactly? Do you think about how a particular service provider is going to handle your information while you're registering an account, for example?

Most of you probably don't, which is great news for the hackers. If more people were aware that their privacy and security are in peril, more people would demand better defenses, and service providers would have no choice but to up their game. Instead, the vendors don't care, and it's not until it's already too late that people start to realize how bad things are. Here are just some of the mistakes website operators make.

Poor adoption of HTTPS

HTTPS stands for Hypertext Transfer Protocol Secure, and it was first introduced way back in 1994. An evolution of the regular HTTP, it encrypts the data that flows between your PC and the server of the website you're visiting. Although it's now 24 years old, there are still people who don't understand how important it is to serve information over HTTPS.

In addition to scrambling your usernames, passwords, and the rest of the data you post online, it also prevents people "in the middle" from altering the content you're seeing. If the connection isn't secure, anyone from the government, through your ISP, to a crook can modify the pages and send you ads, misleading information, or even malware.

It should have become the standard long ago, but it still isn't. In fact, it wasn't until January 2017 that the volume of encrypted web traffic surpassed the volume of HTTP-relayed information. At the moment, it is estimated that more than 70% of the connections are secured, yet, according to security expert Scott Helme, half of Alexa's Top 1 million websites, the ones that really matter, are still served over plain HTTP.

In the past, owners of websites, especially smaller ones, had a valid excuse. To have information flowing over HTTPS, you had to buy a certificate that used to cost a few hundred dollars per year, and you had to make sure that you renew it before it expires. Right now, thanks to an organization called Let's Encrypt, setting up a secure connection for your website is both free and easy.

In actual fact, Let's Encrypt's free certificates have had a profound effect on HTTPS adoption rates, but this clearly isn't enough, which is why, a few weeks ago, Google launched the 68th version of its Chrome browser and introduced a small but significant user interface tweak.

In the past, Chrome would display a green padlock next to the URL to indicate that the website was served over HTTPS. If the connection was not secure, the browser would display a "Not secure" warning only if there was a login form or a credit card field on the page. Starting with Chrome 68, all HTTP websites are marked "Not secure," and the green padlock is now gone, which clearly shows what Google's intentions are: ridding the world of HTTP websites and establishing HTTPS as the norm. If anyone can do that, it's Google.

As you can see, many websites still can't establish a secure tunnel through which our information can travel. Sadly, the problems don't end there.

Data storage blunders

About a month ago, it became apparent that a marketing company by the name of Exactis has been harvesting a truly horrifying amount of data on no fewer than 340 million individuals. In addition to trivial stuff like your home address and your email, the records included things like whether or not you have pets, whether or not you smoke, and whether or not you like baseball. And how did we find out that Exactis had gathered all that data? Well, it was left in a database that was publicly facing the Internet and was not protected by a password.

Parallels were inevitably drawn between Exactis and Equifax. That's because both organizations were responsible for handling vast quantities of data, and both failed spectacularly at securing it. The difference is that in Equifax's case, there is evidence that criminals actually stole the data, and that it was an unpatched web application rather than an unprotected database that exposed people's details.

These, of course, are just two examples. There are many other organizations that have lost or are about to lose users' data because of negligence, and the really bad thing is, there is nothing to tell you whether one website is better than the next.

Transparency is actually a really big problem when it comes to data storage. There are, for example, known good and bad practices for keeping users' passwords safe. Yet, can you think of a single website where, upon registering an account, you read "Your password will be salted and hashed using bcrypt before it's stored," for example? No? Neither can we.

It wouldn't be so bad if there were an established standard that everybody followed, but there isn't one. Often, it's only after the attackers hit that it turns out your password wasn't stored correctly, and there's absolutely nothing you could have done about it.

Encouraging the user to be less secure

All the problems are rooted in the fact that way too many website operators aren't actively interested in cyber security. Often, they implement certain features and rules just because, ten years ago, they heard that this would make you more secure. In reality, quite a few things have changed over those ten years, and right now, instead of better protecting you, those rules are inadvertently making you do things that compromise your security.

Take password expiry policies as an example. You are more likely to find them in your office, but there are still websites that impose stricter than necessary rules on when you need to change your password. If you don't use a password manager, forgetting the old password and remembering a completely new one is a serious nuisance, which is why you just think of a simple password and, every time you need to change it, add a "1" to it. Either that, or you compile a selection of, say, five passwords which you rotate, a practice that completely negates any possible positive effect of the password expiry rule. For the last couple of years, experts and even the UK's National Cyber Security Centre (NCSC) have been urging websites and companies to ditch their password expiry policies because they simply don't work. Unfortunately, many website operators just don't seem to listen.

This is probably because they're too busy disabling the paste function in the password field. Why is this so bad? It's common knowledge that dedicated password management applications like Cyclonis Password Manager are the best way of handling all your login credentials both in terms of security and convenience. Good password managers can create and remember complex, unique passwords, and they can also fill them in whenever you need them. A no-paste rule disrupts the autofill functionality.

It might sound like a minor inconvenience, but in actual fact, the alternatives you're left with are either manually typing in the long string of letters, numbers, and special characters, or relying on your own brain to create and memorize a password which, in all likelihood, is going to be weak. The first option isn't very convenient, and the second one isn't very secure. Once again, the NCSC's experts have urged websites to stop this practice, and once again, their pleas are mostly falling on deaf ears.

And while we're still on the subject of passwords, we can't overlook the weird password requirements we sometimes see. We have seen websites that forbid the use of special characters, for example, and there are also those that let you use only a specific selection of symbols.

The length requirements are where most websites fail catastrophically, though. If you're signing up for an account and are forced to keep your password under twelve characters, you might seriously want to consider whether to continue with the registration. Such a cap not only prevents you from choosing a strong enough password; it could also indicate that the password itself is stored insecurely, since a properly hashed password takes up the same space no matter how long it is.

We can't discuss password length requirements without mentioning good old Wikipedia. Most websites won't let you create passwords that are less than 6 or 8 characters long. It would have been nice if this number were higher, but operators apparently understand that making users create longer passwords will result in a lot of frustration. With Wikipedia, there are no such problems.

The world's fifth most popular website according to Alexa and the trusted friend of students the world over will let you create an account with a password that's 1 character long. No, it's not a typo. Go and try it yourself if you want to. Just make sure you don't leave the account vulnerable for long.

Websites and service providers don't do enough to protect you. What can you do about it?

Some would say that when it comes to the World Wide Web, there's no such thing as complete protection. We can tell you that there is. We must also warn you, however, that it involves unplugging the ethernet cable, powering down your PC, and swapping your apartment or house for a cave.

If that's not the path you want to go down, and we suspect it probably isn't, you can do little more than apply common sense to everything you do on the Internet. Start by improving your passwords and turning on two-factor authentication wherever possible. Keep backups of your important data, update your software, and be sure to protect your computer. Last but not least, try not to share too many personal details. After all, if a piece of information isn't available online, it can't be compromised by hackers.

August 2, 2018